Android Malware Set for July 4 Carries Political Message

McAfee Mobile Security has identified a new Android Trojan embedded in a pirated copy of an exclusive app from rapper Jay Z. We suspect the malware author is attempting to go after the demand for the app Magna Carta Holy Grail on pirated sites. The legitimate app has been released exclusively for Samsung devices on Google Play.

On the surface, the malware app functions identically to the legit app. But in the background, the malware sends info about the infected device to an external server every time the phone restarts. The malware then attempts to download and install additional packages. The only visible indication that a user is infected comes via a time-based trigger that is set to activate on July 4, Independence Day in the United States. On that day, the malware will replace the wallpaper on the infected device with an altered image (below, second from right) of President Obama that comments on recent events in the United States. Based on the political message and the fact that it was embedded in an app that coincides with the release of Jay Z’s latest album, we suspect the Trojan was recently introduced into the wild.


The image and the service name NSAListener suggest a hacktivist agenda, but we haven’t ruled out the possibility that additional malware may target financial transactions or other data.

Mobile malware seems to have no bounds when it comes to tactics or growth rates. To paraphrase lyrics from Jay Z, it seems Android malware has 99 problems and Android/AntiObscan just became another. We recommend that you always be cautious when downloading apps from unknown sources and keep your security product updated.


Spammers Kickoff Sale for United States Independence Day

Independence Day in the United States is a federal holiday, commonly known as the 4th of July. It is traditionally celebrated with various political speeches, ceremonies, fireworks, and parades. Spammers are exploiting the holiday by sending numerous spam messages related to Independence Day events. Many of the spam samples observed are encouraging users to take advantage of clearance sales on cars, as well as other product offers.

Spammers Independence 1.jpeg

Figure 1. Financial spam targeting U.S Independence Day

This spam email tries to lure users by stating that the 4th of July event is already seeing a record demand in 2013 vehicles. By clicking the link provided in the email, the user is redirected to the Web page and asked to select the type of car model for a price comparison. After entering the details it takes the user to the Web page where they have to enter their personal details, email address, and payment details.

We have observed the following subject lines regarding the clearance sale spam attacks for the United States Independence Day:

  • (July 4th) Independence Day Sale - Insane!
  • Retrieve 4th of July Day Prices On All Cars Today
  • Every 2013 automobile is (50%-off) July 4th
  • Summer Kickoff (4th of July deals start now)
  • INCREDIBLE 4th of July Savings on New Cars in Your Area xxx!

Spammers Independence 2.jpeg

Figure 2. Product offer spam targeting the 4th of July

Recently, it has become a trend for spammers to invite users to purchase the products with a bogus coupon code for a discount. The discount codes used in the spam attacks are seen as JULY [RANDOM NUMBERS] and attempt to lure users into clicking a link in order to take advantage of the United States Independence Day offer.

The following example is from a spam email that encourages users to take advantage of bogus offers on pharmaceutical products. By clicking the URL, the user is redirected to a fake pharmaceuticals website. Users should be careful around fake promotions.

Spammers Independence 3.jpeg

Figure 3. Fake pharmaceutical products promotion webpage

Symantec advises our readers to be cautious when handling unsolicited or unexpected emails. We at Symantec are constantly monitoring spam attacks to ensure that our readers are kept up-to-date with information on the latest threats.

Happy Independence Day!

Fake Application Found on Amazon Appstore for Android

Keeping an app store free of malicious applications can be a hard task as we have discussed in our previous blogs. Fake or misleading applications, in particular, are often the hardest to spot because it is not always obvious whether they do what they claim to do.

Our automated systems flagged an egregious example of a misleading application that was posted to the Amazon Appstore for Android.

The application, named Password Wifi Hacker Plus, purports to crack passwords of nearby Wi-Fi networks. However, the application only pretends to do so and displays fake dialog boxes.

Figure. Password Wifi Hacker Plus fake dialog box.png

Figure. Password Wifi Hacker Plus fake dialog box

In the meantime, the application is bundled with six different advertising network components, some of which are quite aggressive. These advertising components may leak information, such as your location, display advertisements in the notification panel, create icons on your home screen, add bookmarks, and display incessant pop-ups.

We have notified Amazon of the presence of the application on their Appstore.

We recommend installing a security app, such as Norton Mobile Security, which detects the application already as Android.Fakeapp.

For general safety tips for smartphones and tablets, please visit our Mobile Security website.

How the US (probably) spied on European allies’ encrypted faxes

Part of a secret document published by The Guardian detailing "Dropmire," a program that reportedly spied on encrypted faxes sent to the European Union's Washington, DC, mission.
The Guardian

US intelligence services implanted bugging tools into cryptographic facsimile devices to intercept secret communications sent or received by the European Union's Washington, DC outpost, according to the latest leak from former National Security Agency staffer Edward Snowden. Technical details are scarce, but security experts reading between the lines say the program probably relies on an old-school style of espionage that parses electric currents, acoustic vibrations, and other subtle types of energy to reveal the contents of encrypted communications.

The bugging method was codenamed Dropmire, and it appears to rely on a device being "implanted on the Cryptofax at the EU embassy, DC," according to a 2007 document partially published Sunday by The Guardian. An image included in the document, presumably taken from a transmission traveling over a targeted device, showed highly distorted text that can just barely be read by the human eye as the letters "EC" followed by "NCN." The fax device was used to send cables between foreign affairs ministries and European capitals, according to Sunday's report.

The ability to approximate the plaintext message but not capture it as it appeared when fully decrypted likely means Dropmire didn't crack the precise algorithm or key used to encrypt the message. That—along with the detail about something being "implanted" in the fax device—has led to speculation that the program monitored electrical, mechanical, or acoustical energy emanating from the device to deduce clues about the plaintext messages being received. Such techniques fall under the umbrella term Tempest, which was coined more than three decades ago as an NSA tactic for reading sensitive communications relating to national security. More recently, Tempest has come to mean any investigation or analysis that uses so-called "compromising emanations" to reveal the contents of sensitive communications or lead to the decryption of encrypted data.

Read 11 remaining paragraphs | Comments